2010-04-16 06:27:36

by gizmo

Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d


udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.

Signed-off-by: Chris Richards <[email protected]>
---
policy/modules/system/init.te | 1 +
policy/modules/system/udev.fc | 2 +-
policy/modules/system/udev.if | 19 +++++++++++++++++++
policy/modules/system/udev.te | 6 ++++++
4 files changed, 27 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 04d5792..11a369b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -794,6 +794,7 @@ optional_policy(`
optional_policy(`
udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
+ udev_manage_rules_files(initrc_t)
')

optional_policy(`
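Review bot: udev_manage_rules_files(initrc_t) grants initrc_t create and delete on directories under /etc/udev/rules.d as well as on the rules files themselves, which is broader than the udev_manage_pid_files(initrc_t) call directly above it; the commit message only says rules must be "populated" at startup, so it should state which init-time step needs directory creation (the follow-up in this thread explains that Gentoo's udev-postmount creates a temporary ".temp.${pid}" directory as a writability probe) so the extra access is justified in the log rather than only on the list.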
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 53c2e97..0291685 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -6,7 +6,7 @@

/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)

-/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)

/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
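Review bot: switching the rules.d context from udev_var_run_t to udev_rules_t changes nothing on already-installed systems until /etc/udev/rules.d is relabeled; existing rules keep udev_var_run_t, and since udev_t only gets list/read on udev_rules_t in this series while initrc_t's manage access now comes through the new interface, a stale label leaves initrc_t without the access this patch intends. Note the restorecon requirement in the commit message.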
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 7a47b45..12489cb 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
+########################################
+## <summary>
+## Manage udev rules files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_manage_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ manage_dirs_pattern($1, udev_rules_t, udev_rules_t)
+ manage_files_pattern($1, udev_rules_t, udev_rules_t)
+')
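Review bot: the new interface grants manage on udev_rules_t but, unlike udev_manage_pid_files in the context above (which carries files_search_var_lib($1)), it gives the caller no search access on the parent directory; add files_search_etc($1) so a domain that calls only this interface can actually reach /etc/udev/rules.d. Also, as raised later in the thread, place the interface after udev_dontaudit_rw_dgram_sockets() rather than at the end of the file, and the summary should mention that it manages directories as well as files.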
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3f0a14e..af1f4e4 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -21,6 +21,9 @@ files_config_file(udev_etc_t)
type udev_tbl_t alias udev_tdb_t;
files_type(udev_tbl_t)

+type udev_rules_t;
+files_type(udev_rules_t)
+
type udev_var_run_t;
files_pid_file(udev_var_run_t)

@@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms;
allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t, udev_tbl_t, file)

+list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
+read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
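Review bot: this reduces udev_t from manage (previously inherited through udev_var_run_t, see the three manage_*_pattern lines in context) to list and read on rules.d, and gives no lnk_file access at all even though the old label carried manage_lnk_files_pattern; a symlinked rule file in rules.d would now be unreadable by udev_t, so add read_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t) and confirm in the commit message that udev_t never needs to write into rules.d, since that loss of write access is not mentioned.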
--
1.6.4.4
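To see what the udev.fc hunk actually changes, here is a small resolver for refpolicy-style file_contexts lines, added as an example for this thread and not code from refpolicy or from the patch author. The entries are constructed: the three /etc/udev lines mirror the hunk (before and after), and the generic /etc catch-all is an assumption modelled on refpolicy's files.fc. The matching rule is simplified to "last matching entry wins" (what setfiles applies to a file that fc_sort has already ordered); the real build sorts entries by specificity first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Object-class qualifiers allowed in the optional second field of a .fc line.
FILE_TYPE_CODES = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
    "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file",
}

# Constructed .fc text: the /etc/udev lines as they stand BEFORE the patch,
# plus an assumed generic /etc catch-all (modelled on refpolicy's files.fc).
FC_BEFORE = """
/etc(/.*)?                          gen_context(system_u:object_r:etc_t,s0)
/etc/hotplug\\.d/default/udev.*  --  gen_context(system_u:object_r:udev_helper_exec_t,s0)
/etc/udev/rules.d(/.*)?             gen_context(system_u:object_r:udev_var_run_t,s0)
/etc/udev/scripts/.+             --  gen_context(system_u:object_r:udev_helper_exec_t,s0)
"""

# The same text AFTER the patch's udev.fc hunk: rules.d now maps to udev_rules_t.
FC_AFTER = FC_BEFORE.replace("udev_var_run_t", "udev_rules_t")


@dataclass
class FcEntry:
    regex: re.Pattern
    obj_class: Optional[str]   # None: entry applies to any object class
    context: Optional[str]     # None: <<none>> (path is left unlabeled)


def parse_fc(text: str) -> List[FcEntry]:
    """Parse refpolicy-style file_contexts lines into FcEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, qualifier, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPE_CODES:
            pattern, qualifier, ctx = fields[0], FILE_TYPE_CODES[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed .fc line: {raw!r}")
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        if m:
            context = f"{m.group(1)}:{m.group(2)}"
        elif ctx == "<<none>>":
            context = None
        else:
            raise ValueError(f"unrecognised context field: {ctx!r}")
        entries.append(FcEntry(re.compile(pattern), qualifier, context))
    return entries


def resolve(entries: List[FcEntry], path: str, obj_class: str = "file") -> Optional[str]:
    """Return the full context for path, or None if no entry matches.

    Simplification (assumed): the last matching entry wins, i.e. the input is
    taken to be already ordered from least to most specific.
    """
    winner = None
    for e in entries:
        if e.obj_class is not None and e.obj_class != obj_class:
            continue  # qualifier such as "--" restricts the entry to one class
        if e.regex.fullmatch(path):
            winner = e
    return winner.context if winner else None


def type_of(entries: List[FcEntry], path: str, obj_class: str = "file") -> Optional[str]:
    """Just the type component (user:role:TYPE:level) of the resolved context."""
    ctx = resolve(entries, path, obj_class)
    return ctx.split(":")[2] if ctx else None


def relabel_impact(fc_old: str, fc_new: str, paths):
    """Map each (path, class) whose type changes between two .fc versions
    to its (old_type, new_type) pair; unchanged paths are omitted."""
    old, new = parse_fc(fc_old), parse_fc(fc_new)
    changes = {}
    for path, cls in paths:
        before, after = type_of(old, path, cls), type_of(new, path, cls)
        if before != after:
            changes[path] = (before, after)
    return changes


if __name__ == "__main__":
    # Constructed sample paths a relabel of /etc/udev would be checked against.
    sample = [
        ("/etc/udev/rules.d", "dir"),
        ("/etc/udev/rules.d/70-persistent-net.rules", "file"),
        ("/etc/udev/scripts/net.sh", "file"),
        ("/etc/udev/udev.conf", "file"),
    ]
    for p, (old_t, new_t) in relabel_impact(FC_BEFORE, FC_AFTER, sample).items():
        print(f"{p}: {old_t} -> {new_t}")
```

Only the rules.d directory and the files beneath it change type; the scripts entry stays udev_helper_exec_t because its "--" qualifier and regex are untouched, and a directory named like a script falls through to the catch-all because "--" restricts that entry to regular files. On a real system the same question is answered by restorecon in dry-run mode against the installed file_contexts.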


2010-04-27 13:10:05

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d

On Fri, 2010-04-16 at 06:27 +0000, Chris Richards wrote:
> udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.

Why does the new interface have more access than the old one (it
includes manage_dirs_pattern)?

The interface in the .if should also be moved up after
udev_dontaudit_rw_dgram_sockets().

> Signed-off-by: Chris Richards <[email protected]>
> ---
> policy/modules/system/init.te | 1 +
> policy/modules/system/udev.fc | 2 +-
> policy/modules/system/udev.if | 19 +++++++++++++++++++
> policy/modules/system/udev.te | 6 ++++++
> 4 files changed, 27 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 04d5792..11a369b 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -794,6 +794,7 @@ optional_policy(`
> optional_policy(`
> udev_rw_db(initrc_t)
> udev_manage_pid_files(initrc_t)
> + udev_manage_rules_files(initrc_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 53c2e97..0291685 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -6,7 +6,7 @@
>
> /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> -/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 7a47b45..12489cb 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',`
> files_search_var_lib($1)
> manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Manage udev rules files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_manage_rules_files',`
> + gen_require(`
> + type udev_rules_t;
> + ')
> +
> + manage_dirs_pattern($1, udev_rules_t, udev_rules_t)
> + manage_files_pattern($1, udev_rules_t, udev_rules_t)
> +')
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 3f0a14e..af1f4e4 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -21,6 +21,9 @@ files_config_file(udev_etc_t)
> type udev_tbl_t alias udev_tdb_t;
> files_type(udev_tbl_t)
>
> +type udev_rules_t;
> +files_type(udev_rules_t)
> +
> type udev_var_run_t;
> files_pid_file(udev_var_run_t)
>
> @@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms;
> allow udev_t udev_tbl_t:file manage_file_perms;
> dev_filetrans(udev_t, udev_tbl_t, file)
>
> +list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
> +read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
> +
> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)

--
Chris PeBenito
Tresys Technology, LLC

2010-04-27 14:34:52

by gizmo

Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d

Under udev_var_run_t, initrc_t didn't have the permissions to write to
that directory (specifically to create a new directory). udev-postmount
attempts to create a temporary directory ".temp.${pid}" to see if the
directory is writable. If it is, then udev-postmount continues by
copying the rules into /etc/udev/rules.d. If not, then it skips that
step entirely. I didn't want to give that kind of permission to
udev_var_run_t, since it would also apply to pid files, run files, and a
bunch of other stuff that initrc_t accesses using that label, which was
why I created the udev_rules_t type.

The logic that Gentoo uses (creating the dir to check for write
permissions) MIGHT be Gentoo specific, since Fedora (and, presumably
RHEL) doesn't do that (it just assumes it has write access). However, I
don't know about Debian or SuSE and their derivatives.

Actually, for that part, it might be smarter to submit a patch to Gentoo
to change how the udev-postmount script works, now that I think a bit
more about it.

Later,
Chris

On 04/27/2010 08:10 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-04-16 at 06:27 +0000, Chris Richards wrote:
>
>> udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.
>>
> Why does the new interface have more access than the old one (it
> includes manage_dirs_pattern)?
>
> The interface in the .if should also be moved up after
> udev_dontaudit_rw_dgram_sockets().
>
>
>> Signed-off-by: Chris Richards<[email protected]>
>> ---
>> policy/modules/system/init.te | 1 +
>> policy/modules/system/udev.fc | 2 +-
>> policy/modules/system/udev.if | 19 +++++++++++++++++++
>> policy/modules/system/udev.te | 6 ++++++
>> 4 files changed, 27 insertions(+), 1 deletions(-)
>>
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index 04d5792..11a369b 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -794,6 +794,7 @@ optional_policy(`
>> optional_policy(`
>> udev_rw_db(initrc_t)
>> udev_manage_pid_files(initrc_t)
>> + udev_manage_rules_files(initrc_t)
>> ')
>>
>> optional_policy(`
>> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
>> index 53c2e97..0291685 100644
>> --- a/policy/modules/system/udev.fc
>> +++ b/policy/modules/system/udev.fc
>> @@ -6,7 +6,7 @@
>>
>> /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>>
>> -/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>> +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
>> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>>
>> /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
>> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
>> index 7a47b45..12489cb 100644
>> --- a/policy/modules/system/udev.if
>> +++ b/policy/modules/system/udev.if
>> @@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',`
>> files_search_var_lib($1)
>> manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
>> ')
>> +
>> +########################################
>> +##<summary>
>> +## Manage udev rules files
>> +##</summary>
>> +##<param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +##</param>
>> +#
>> +interface(`udev_manage_rules_files',`
>> + gen_require(`
>> + type udev_rules_t;
>> + ')
>> +
>> + manage_dirs_pattern($1, udev_rules_t, udev_rules_t)
>> + manage_files_pattern($1, udev_rules_t, udev_rules_t)
>> +')
>> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
>> index 3f0a14e..af1f4e4 100644
>> --- a/policy/modules/system/udev.te
>> +++ b/policy/modules/system/udev.te
>> @@ -21,6 +21,9 @@ files_config_file(udev_etc_t)
>> type udev_tbl_t alias udev_tdb_t;
>> files_type(udev_tbl_t)
>>
>> +type udev_rules_t;
>> +files_type(udev_rules_t)
>> +
>> type udev_var_run_t;
>> files_pid_file(udev_var_run_t)
>>
>> @@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms;
>> allow udev_t udev_tbl_t:file manage_file_perms;
>> dev_filetrans(udev_t, udev_tbl_t, file)
>>
>> +list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
>> +read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>> +
>> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>>
>

2010-04-28 04:22:14

by gizmo

Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d

On 04/27/2010 09:34 AM, Chris Richards wrote:
> Actually, for that part, it might be smarter to submit a patch to Gentoo
> to change how the udev-postmount script works, now that I think a bit
> more about it.
>
>
I've submitted a bug report to Gentoo, along with a patch modifying the
behavior of the udev-postmount script so that it doesn't trip the
alarms. That renders the rest of this policy change more of a
philosophical discussion than an actual requirement.

Philosophically, should we really have udev_var_run_t managing files in
/etc/udev/rules.d?

On the other hand, it isn't actually harming anything at the moment, so
there's some argument to be made for the "if it ain't broke" school of
thought.

My thought is to go ahead and change this. It should be a low impact
change. Near as I can tell only the init script currently has access to
udev_var_run_t, via the udev_manage_pid_files interface. All other
access is controlled with the udev policy, and amounts to manage dirs,
manage files, manage links, and a filetrans. But I might be missing the
bigger picture here. As an SELinux n00b, I'm open and interested in
other thoughts.

Later,
Chris

2010-05-18 14:28:32

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d

On Fri, 2010-04-16 at 06:27 +0000, Chris Richards wrote:
> udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.

Merged.

> Signed-off-by: Chris Richards <[email protected]>
> ---
> policy/modules/system/init.te | 1 +
> policy/modules/system/udev.fc | 2 +-
> policy/modules/system/udev.if | 19 +++++++++++++++++++
> policy/modules/system/udev.te | 6 ++++++
> 4 files changed, 27 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 04d5792..11a369b 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -794,6 +794,7 @@ optional_policy(`
> optional_policy(`
> udev_rw_db(initrc_t)
> udev_manage_pid_files(initrc_t)
> + udev_manage_rules_files(initrc_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 53c2e97..0291685 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -6,7 +6,7 @@
>
> /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> -/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 7a47b45..12489cb 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',`
> files_search_var_lib($1)
> manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
> ')
> +
> +########################################
> +## <summary>
> +## Manage udev rules files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_manage_rules_files',`
> + gen_require(`
> + type udev_rules_t;
> + ')
> +
> + manage_dirs_pattern($1, udev_rules_t, udev_rules_t)
> + manage_files_pattern($1, udev_rules_t, udev_rules_t)
> +')
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 3f0a14e..af1f4e4 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -21,6 +21,9 @@ files_config_file(udev_etc_t)
> type udev_tbl_t alias udev_tdb_t;
> files_type(udev_tbl_t)
>
> +type udev_rules_t;
> +files_type(udev_rules_t)
> +
> type udev_var_run_t;
> files_pid_file(udev_var_run_t)
>
> @@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms;
> allow udev_t udev_tbl_t:file manage_file_perms;
> dev_filetrans(udev_t, udev_tbl_t, file)
>
> +list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
> +read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
> +
> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com